UNITED STATES DEPARTMENT OF EDUCATION
OFFICE OF INSPECTOR GENERAL
Information Technology Audits and Computer Crime Investigations

DATE:        September 24, 2010

TO:          Tony Miller
             Deputy Secretary

             William J. Taggart
             Chief Operating Officer
             Federal Student Aid

FROM:        Charles E. Coe Jr. /s/
             Assistant Inspector General
             Information Technology Audits and Computer Crime Investigations

SUBJECT:     Investigative Program Advisory Report
             Weaknesses in the Process for Handling Compromised Privileged Accounts
             (09-220005) Control No. L21K0002

The Office of Inspector General (OIG) conducted an investigative project from February 1 to June 30, 2010, to determine whether compromised privileged accounts were used by unauthorized individuals and to evaluate the Department's process for handling compromised privileged accounts. During this project, OIG found that:

   •  FSA does not identify all individuals whose data were potentially compromised.
   •  The Department and FSA failed to conduct adequate log reviews of compromised privileged accounts to identify unauthorized activity.
   •  FSA keeps inadequate records of its remediation efforts for compromised privileged accounts.
   •  Two-factor authentication has not yet been required for remote access to Department and FSA systems.

To ensure that compromised privileged Department and FSA accounts are properly identified and analyzed, and to prevent unauthorized access to Department systems, we made four recommendations:

   1. Identify all potentially compromised PII by analyzing all account activity during the period that the privileged account was compromised.
   2. Revise the current methodology used to identify suspicious activity that indicates unauthorized access into privileged accounts. Log reviews of account activity should include, at a minimum, an analysis of originating IP addresses, login times, and amount of activity. If suspicious activity is identified, the user should be contacted to determine whether the user was responsible for the activity. Suspected unauthorized access to government systems should be immediately reported in accordance with Handbook OCIO-14, "Handbook for Information Security Incident Response and Reporting Procedures."
   3. Track compromised accounts and PII and the date of compromise, account deactivations, owner/borrower notifications, and the date and results of the account log review.
   4. As recommended by OMB Memorandum M-06-16, implement two-factor authentication on any system where a user can log into a privileged account from the Internet, with an emphasis placed on financial systems and systems containing large volumes of PII.

Attached is the subject Investigative Program Advisory Report (IPAR) that covers our review of Weaknesses in the Process for Handling Compromised Privileged Accounts.

Corrective actions proposed (resolution phase) and implemented by your office will be monitored and tracked in the Audit Accountability and Resolution Tracking System (AARTS). The Office of the Chief Information Officer will be responding on behalf of the Office of the Deputy Secretary. ED policy requires that you develop a final corrective action plan (CAP) for our review in the automated system within 45 days of the issuance of this report. The CAP should set forth the specific action items, and targeted completion dates, necessary to implement final corrective actions on the findings and recommendations contained in this IPAR.

If you have any questions concerning this IPAR, please contact Special Agent in Charge, Mark A. Smith, at (202) 245-7019.


Attachment

cc: Danny Harris, Chief Information Officer (CIO)
    Richard Gordon, CIO, FSA
    Charles Rose, General Counsel
    Phillip Loranger, Chief Information Security Officer
    Robert Ingwalson, Computer Security Officer, FSA

550 12th St SW, Suite 8000
Washington, DC 20202

The Department of Education's mission is to promote student achievement and preparation for global competitiveness by fostering educational excellence and ensuring equal access.
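Recommendation 2 sets out three review criteria for a compromised privileged account (originating IP address, login time, amount of activity), to be applied over the compromise period from recommendation 1. The following is an added example of that review as a defender would script it; it is not part of the OIG report or of any Department tool, and the account name, session records, compromise window and thresholds are all constructed.

```python
from datetime import datetime, time
from statistics import median

# Constructed sample session records for one privileged account:
# (account, login timestamp, originating IP, records accessed). Not real data.
SESSIONS = [
    ("admin01", "2010-02-03 09:12", "192.0.2.10", 40),
    ("admin01", "2010-02-04 10:05", "192.0.2.10", 55),
    ("admin01", "2010-02-05 08:47", "192.0.2.11", 35),
    ("admin01", "2010-02-11 02:31", "198.51.100.77", 900),   # inside compromise window
    ("admin01", "2010-02-11 11:20", "192.0.2.10", 50),       # inside window, looks normal
    ("admin01", "2010-02-12 23:58", "198.51.100.77", 1200),  # inside compromise window
]

def review_account_log(sessions, window_start, window_end,
                       business_hours=(time(7), time(19)), volume_factor=3):
    """Flag sessions inside the compromise window that fail any of the three criteria.

    Baseline (known IPs, typical volume) is taken from sessions before the window,
    so the reviewer does not treat the attacker's own activity as normal.
    """
    parse = lambda s: datetime.strptime(s, "%Y-%m-%d %H:%M")
    start, end = parse(window_start), parse(window_end)
    baseline = [s for s in sessions if parse(s[1]) < start]
    known_ips = {s[2] for s in baseline}
    typical_volume = median(s[3] for s in baseline) if baseline else 0
    findings = []
    for account, ts, ip, volume in sessions:
        when = parse(ts)
        if not (start <= when <= end):
            continue                      # recommendation 1: review the whole window, only the window
        reasons = []
        if ip not in known_ips:
            reasons.append("new source IP")
        if not (business_hours[0] <= when.time() <= business_hours[1]):
            reasons.append("off-hours login")
        if typical_volume and volume > volume_factor * typical_volume:
            reasons.append("activity volume %dx baseline" % (volume // typical_volume))
        if reasons:
            findings.append({"account": account, "time": ts, "ip": ip, "reasons": reasons})
    return findings

def accounts_to_contact(findings):
    """Account owners who must be asked whether they performed the flagged activity."""
    return sorted({f["account"] for f in findings})
```

Each finding records the session and the criteria it failed, which is the material recommendation 3 asks to be tracked alongside the owner notification and review date.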